A Strategy for Addressing Cyber Security Challenges
Talk that Prof. Mustaque Ahamad from GaTech gave at Global Cybersecurity Leaders Program http://www.cisoacademy.com/gclp2-prof-mustaque-ahamad-april-2015/

1. A Strategy for Addressing Cyber Security Challenges
Mustaque Ahamad
Professor of Computer Science, Georgia Institute of Technology
Global Professor of Engineering, New York University Abu Dhabi
Co-founder and Chief Scientist, Pindrop Security

2. A Couple of Observations
• Cyber security has become an extremely important problem for people, businesses and governments.
• Addressing cyber security challenges presents serious challenges.
• Cyber now reaches into critical physical systems.
• Cyber security is going to be a journey, not a destination.

3. Are Things Really Bad?
• Growing sophistication of the threat landscape
  – Cyber criminals, hacktivists, terrorists and nation-states
  – Cyber crime costs are reaching half a trillion dollars (In India, 0.21% of GDP, McAfee 2014 Report)
  – Greatest transfer of wealth (Keith Alexander, http://foreignpolicy.com/2012/07/09/nsa-chief-cybercrime-constitutes-the-greatest-transfer-of-wealth-in-history/)
• Complex technology ecosystem
  – “Reflections on trusting trust”
• People, processes and coordination across multiple stakeholders

4. Threats + Vulnerabilities => Attacks
• Can we make threats go away?
• Attribution is extremely difficult
• Global and transnational
• How can we address vulnerabilities?
• Security errors in software (over 1700 entries in NVD in last 3 months)
• Asymmetry – attackers only need to find one bug, we need to fix all
• People are weak links
• Only higher assurance, no perfect security
  – Stronger prevention and early detection – Faster recovery and remediation
So,
What
Can
We
Do?
• Educa>on
– Developing
the
“security
mindset”
– Undergraduate
and
graduate
programs
• Research
– Rapidly
evolving
field
• Policy,
legal
and
regula>on
– It
is
much
more
than
technology

6. Educating Cyber Security Professionals
• US National Initiative for Cybersecurity Education (NICE) http://csrc.nist.gov/nice/framework/

7. Capacity Building for Educating Cyber Security Professionals
• What do we do?
  – Undergraduate or graduate programs?
  – Integrating security concepts in CS curriculum?
  – Vocational programs?
• How do we do it?
  – So, where do we find cyber security faculty?
  – Developing hands-on projects and laboratories
• US Response
  – Centers of Excellence Program (NSA/DHS)
  – Scholarship-for-Service (SFS) Program
  – NSF SaTC Education Projects
    • Curriculum development, sharing, workshops etc.

8. Research Capacity Building
• Evolving threat landscape and rapidly changing technologies
  – Getting ahead of emerging threats
  – “Test and verify” rather than “trust but verify”
• Diverse set of research challenges
  – Trustworthiness of technology to human dimension
• Real-world impact of research
  – Tech transfer and commercialization

9. Example I: Malware Analysis
• Scalable malware analysis system processes approximately 250K samples a day
• Extracting features from communication patterns
• Big data due to deep packet analysis and event volume
• Machine learning for attribution
• Visualization and actionable intelligence
[Figure: Mariposa Botnet Tracking and Takedown]

10. Example II: Data-Driven Cyber Risk
• Collect cyber risk relevant data from multiple sources
  – Vulnerabilities
  – Exploit kits and malware
  – Attack data (public and private)
• Analytics and visualization
  – Lean back and lean forward
[Figure: Calendar view of reported vulnerabilities]

11. National R&D Strategy: US Example
• National Science Foundation Secure and Trustworthy (SaTC)
  – Launched after developing a national strategy (https://www.whitehouse.gov/sites/default/files/microsites/ostp/fed_cybersecurity_rd_strategic_plan_2011.pdf)
  – Interdisciplinary including behavioral and economic aspects
• DHS, DARPA and NSA Initiatives
  – Critical infrastructure security (CPS)
  – Resilient and transparent computing
  – Science of security
• Networking and Information Technology Research and Development (NITRD) Program
  – Coordinated across multiple agencies
  – High level goal is to maintain US technological leadership in this field

12. Cyber Security Policy
• Policy development is as important as best technical safeguards
• Should companies and government agencies be required to practice a certain level of cyber hygiene?
• Information sharing and coordination
• Privacy
• Legal and enforcement issues

13. Lessons Learned
• Education capacity building
  – Aggressively support centers like CERC IIIT Delhi
  – CS curriculum needs to be augmented with cyber security offerings at all levels
  – “Educating the educators” – summer schools, workshops and hosted programs
  – What do we do about faculty?
    • Incentives for CS faculty members to shift/expand their research into cyber security
    • Be creative (professor of practice, global professor etc.)

14. Lessons Learned Contd.
• Research capacity building
  – You cannot be a major player without a strong research base
    • How many papers at security conferences from India?
  – Launch/seed a few ambitious (and high risk) research projects like NSF’s frontiers
  – Start/get security conferences to India to grow the community
  – Applied research expertise
    • Cannot only rely on security vendor professionals for crisis handling
    • CDC for cyber, CERT 2.0?
  – Coordination across National Labs, DRDO??
  – Home grown cyber security companies??

15. Lessons Learned Contd.
• Cyber security is much more than technology
  – Policy, regulatory and legal dimensions
  – Cyber security maturity model and best practices
  – Preparedness assessment
  – Conversations at the highest level (WEF initiative)
  – Information sharing, coordination and mutual aid
  – Informal trust networks

16. Conclusions
• Cyber risk ranks among the top global risks (2015 WEF Global risks report)
• National response is of critical importance
• Need to move at “network speed”
• It is all about capacity building
• Ignore research at your own peril